The Source: Protect your patients from identity theft!
The number of patients affected by medical identity theft increased nearly 22 percent in just the last year, according to a study released in February 2015. Dentists protect their patients’ personal information for obvious ethical reasons and HIPAA compliance. Many times, however, they may not realize that preventing identity theft is another very important reason behind this practice. Processing credit card transactions in a safe manner is crucial to protecting patients from cyber attacks. Whether it’s their health record or credit card information, no one is completely safe. Dentists can take steps, however, to ensure this information is as secure as possible for their patients.
Health Records Under Attack
In 2014, articles in business and medical publications cited alarming statistics regarding electronic breaches in healthcare. They often referred to a McAfee Labs report from November, a February SANS Institute report, and an FBI Private Industry Notification issued in April. The reports revealed the following:
• Cyber criminals are selling health record information on the black market at a rate of $50 per partial health record. That’s astronomical compared to the $1 black market rate a single stolen credit card number garners. Electronic health records are used in filing fraudulent insurance claims, obtaining prescription medication, and conducting other identity theft activities.
• A 600 percent increase in healthcare-record breaches occurred in the first 10 months of 2014, as compared to the same time frame in 2013 (and this is even prior to the well-publicized Anthem BlueCross/Blue Shield incident).
• The direct out-of-pocket costs to victims of medical identity theft are significant. While the financial liability for credit cards is often limited to $50 (and the card itself can be easily cancelled and replaced), a Ponemon Institute study suggests that 65 percent of medical identity theft victims had to pay thousands of dollars to resolve the crime.
• According to the FBI, the healthcare industry “is poorly protected and ill-equipped to handle new cyber threats exposing patient records, billing and payment organizations, and intellectual property.” In healthcare, almost all things digital can be compromised, including radiology imaging software, medical devices, faxes, printers, virtual private networks, and routers. To make matters worse, healthcare-industry IT professionals believe their defenses are adequate “when clearly the data states otherwise.”
You might shrug your shoulders, hope your IT folks are doing a good job, and check your insurance coverage should your records be compromised via a hack attack. But that’s not always good enough.
Compromising Credit Cards
Just because stolen credit card numbers bring in a low black market rate doesn’t mean they aren’t sought after. If you process credit cards online or via Ethernet-based connectivity, your patients’ information could be at risk. To find out how vulnerable your system really is to cyber attacks, follow the payment card industry (PCI) security standards, which require quarterly scans of your network. More than half of the Best Card dental offices getting these network scans fail their first scans despite having anti-malware software, antivirus protection, and a separate wireless network.
The reasons for failure are numerous and can include:
• Not updating to Windows 7 or higher
• Leaving unused ports open that need to be closed through the office’s Internet service provider or firewall
• Having routers with outdated firmware
• A lack of patches or updates for software.
It could happen to you, so it’s important to correct any weaknesses you have identified. The good news is getting scans shouldn’t break the bank. (For example, Best Card, endorsed by the WSDA, only charges $36 annually for the mandatory PCI self-assessment questionnaire completion and $20 more for practices that are required or choose to do quarterly scans.) Even offices that swipe credit cards at a terminal using an analog telephone line could be at risk if someone were to attach a skimmer that reads magnetic stripe information. We’ve never heard of this happening in a dental office, but skimmers have been placed on equipment including ATMs and gas pumps. For this reason it’s important to train your staff to verify the identity of anyone who claims to be there to service or re-download your credit card terminal!
Meeting the EMV Deadline
By October 2015, the payment card industry wants your processing equipment to accept credit cards containing integrated circuit (IC) chips. Europay, MasterCard, and Visa (EMV)-compliant technology is considered safer than the traditional magnetic stripe (magstripe) on credit cards. Come October, your existing equipment won’t cease to function — new terminals will continue to read magnetic stripes. However, if your processing equipment isn’t EMV-compliant by then, your practice might be liable for fraudulent charges. Fortunately, it shouldn’t cost a great deal of money to get updated equipment.
When purchasing EMV-compliant equipment, make sure it’s Near Field Communication-capable to accommodate new payment methods such as Apple Pay, Google Wallet, and contactless credit cards. They say the future is now, and the ever-changing credit card industry is no exception. However, with a handful of small adjustments, you can have your office prepared to greet the future with confidence.
For more information about the material presented in this article, or literature on preventing embezzlement in your practice, contact Best Card at 877-739-3952 or visit www.bestcardteam.com/faqs.
Jennifer Nieto is president of RJ Card Processing Inc. (d/b/a Best Card). Formerly, she was the director of finance for the Colorado Dental Association and an FDIC Bank Examiner/CPA. Best Card is currently endorsed by the Washington State Dental Association and 20 other medical and dental associations or their affiliates.
CNNMoney (New York) Feb. 27, 2015